Paul Ebersman wrote on 2021-09-30 14:30:
> ... NTAs in production use aren't even vaguely new. They've been in wide use for 8-10 years that I'm aware of. They are part of why folks like google, cloudflare, comcast et al are willing to do DNSSEC validation in production.
i know that. i just don't like it. without backpressure, sloppiness will normalize. (always.)
> Doing it automatically is bad, as per RFC 7646, but it is a valid response if it's a large site and mistake rather than malicious.
when considering only one's own ring queue / ticket queue, that's certainly so.
i hope that there's a long enough long tail on NTA deployment that the cost of getting one's keys or signatures mixed up is still horrific. i don't know how to measure that.
vixie

-- 
Sent from Postbox <https://www.postbox-inc.com>
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
